
QC comparisons are DEADLY serious!



Stefan, 

I strongly disagree with your conclusions regarding certificate comparisons. 
Rather, I consider the possibility to compare certificates from a certain issuer and CPS 
to be a major "quality" property that deserves a section of its own. 

To give an example: if you have a QC issued by a TTP (ID-certificates that 
will only be used within the issuer's own domain are pretty uninteresting) and 
your bank accepts that certificate in conjunction with its Internet-bank, it 
is VERY interesting for BOTH the bank (RP) and for the customer (Subscriber) 
to know what will happen the day you log in with a renewed certificate. 
IN ADVANCE. 

So what you describe as a "minor issue" is for some people a FUNDAMENTAL 
ISSUE that the QC draft IMLHO must address in a much more serious way than in V02. 

Anders



-----Original Message-----
From: Stefan Santesson <stefan@accurata.se>
To: Anders Rundgren <anders.rundgren@jaybis.com>; 'SEIS-List' <list@seis.nc-forum.com>; ietf-pkix@imc.org <ietf-pkix@imc.org>
Date: Friday, October 29, 1999 23:09
Subject: SEIS: Re: QC certificates MAY CERTAINLY be compared!


>--- Message on the SEIS mailing list (list@seis.nc-forum.com)
>
>Anders,
>
>Thank you, I have noticed your comment.
>
>The security considerations section contains CONSIDERATIONS for the general
>case and I still believe in the intent behind this sentence, as a good
>general guidance to implementations. 
>
>Setting up implementations with the intent to compare two qualified
>certificates to see if they represent the same person IS generally a bad
>service that shouldn't be performed. Since in the general case, you will
>have a clear risk of misleading results.
>
>Well, if you leave the general case and go into specific cases such as
>comparing SEIS certificates within a local region (such as Sweden), then
>there will always be cases where some security considerations do not
>apply (such as this particular one).
>
>I think this is a minor issue within the security consideration section
>which does not affect the implementation of the profile. Sure, there is an
>even better way of expressing the original intent behind that sentence. But
>on the other hand, there will always be a better way of everything.
>
>I think the present description is good enough. Can you live with it ?
>
>/Stefan
>
>At 17:55 1999-10-25 +0100, Anders Rundgren wrote:
>>Stefan,
>>I have said it before and I say it again.  The following QC-statement is 
>>highly doubtful:
>>
>>"Comparing two qualified certificates to determine if they represent
>> the same physical entity may provide misleading results and should
>> not be performed"
>>
>>As you know our famous (?) SEIS-card does indeed allow certificates to
>>be compared for subject identity.   That is IMO the whole (and only) point 
>>with *real* ID-cards!
>>
>>So this is a statement of the CPS.  Not of the draft.
>>
>>
>>
>>BTW, why no explicit support for "container ID" (card serial) as most QCs
>>will be put in smart cards?  It was in SEIS already.
>>
>>
>>Anders
>>
>>
>>-----Original Message-----
>>From: Stefan Santesson <stefan@accurata.se>
>>To: ietf-pkix@imc.org <ietf-pkix@imc.org>
>>Date: Monday, October 25, 1999 14:14
>>Subject: New submitted draft for Qualified Certificates
>>
>>
>>>All,
>>>
>>>A new draft for a Qualified Certificates Profile was submitted friday 22.
>>>
>>>The new draft can be obtained from:
>>>http://www.accurata.se/QC/documents/draft-ietf-pkix-qc-02.txt
>>>
>>>The QC website has been updated accordingly:
>>>http://www.accurata.se/QC/
>>>
>>>See also under settled topics to obtain information about major
>>>considerations since the last draft.
>>>
>>>/Stefan
>>>-------------------------------------------------------------------
>>>Stefan Santesson                <stefan@accurata.se>
>>>Accurata AB                     http://www.accurata.se
>>>Slagthuset                      Tel. +46-40 108588              
>>>211 20  Malmö                   Fax. +46-40 150790              
>>>Sweden                        Mobile +46-70 5247799
>>>
>>>PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
>>>-------------------------------------------------------------------
>>> 
>
>
>----------------- SEIS mailing list (list@seis.nc-forum.com)
>Info about this list: http://www.nc-forum.com/seis
>SEIS Contact: info@seis.se
>
>